cert-manager.tf
# Managed identity used by cert-manager. It is never given a client secret:
# cert-manager obtains tokens for it through the federated credential further
# down (workload identity), so the only credential material is the Kubernetes
# service-account token. Placed in the AKS node resource group.
resource "azurerm_user_assigned_identity" "cert_manager" {
  name                = "wf-admin-cert-manager-${var.wayfinder_instance_id}"
  location            = var.location
  resource_group_name = module.aks.node_resource_group
  tags                = var.tags
}
# Write access to the DNS zone, presumably for the ACME DNS-01 solver used by
# the Let's Encrypt ClusterIssuer below. Only that issuer needs to create
# challenge records, so the assignment is created for it alone.
resource "azurerm_role_assignment" "cert_manager_dns_contributor" {
  count = var.clusterissuer == "letsencrypt-prod" ? 1 : 0

  principal_id         = azurerm_user_assigned_identity.cert_manager.principal_id
  role_definition_name = "DNS Zone Contributor"
  scope                = var.dns_zone_id
}
# Reader on the resource group that holds the DNS zone.
# NOTE(review): unlike the DNS Zone Contributor assignment, this one is not
# gated on the letsencrypt-prod issuer, so the identity keeps Reader on the
# DNS resource group even when the keyvault, vaas or adcs issuer is selected
# and no DNS access is needed. Gating it with the same count expression would
# tighten least privilege; doing so changes the resource address, so existing
# state needs a migration first — confirm nothing else relies on this grant.
resource "azurerm_role_assignment" "cert_manager_reader" {
  principal_id         = azurerm_user_assigned_identity.cert_manager.principal_id
  role_definition_name = "Reader"
  scope                = local.dns_resource_group_id
}
# Looks up the Key Vault that holds the issuing certificate. Only evaluated
# for the keyvault issuer; every consumer must therefore index it as
# data.azurerm_key_vault.cert_kv[0] under the same condition.
data "azurerm_key_vault" "cert_kv" {
  count = var.clusterissuer == "keyvault" ? 1 : 0

  name                = var.cert_manager_keyvault_name
  resource_group_name = var.resource_group_name
}
# Lets the cert-manager identity read secrets from the vault (keyvault issuer
# only). The scope is the whole vault, so the identity can read every secret
# in it, not just the one certificate named in var.cert_manager_keyvault_cert_name.
# NOTE(review): if the vault is shared with other workloads, consider scoping
# this assignment to the individual secret rather than the vault — confirm
# against how the CSI values template addresses the certificate.
resource "azurerm_role_assignment" "cert_manager_keyvault" {
  count = var.clusterissuer == "keyvault" ? 1 : 0

  principal_id         = azurerm_user_assigned_identity.cert_manager.principal_id
  role_definition_name = "Key Vault Secrets User"
  scope                = data.azurerm_key_vault.cert_kv[0].id
}
# Trust relationship that allows the cert-manager Kubernetes service account
# to exchange its projected token for a token of the managed identity above.
# The trust is bound to three things: the AKS OIDC issuer, the exact
# service-account subject, and the token-exchange audience — a token from any
# other namespace or service account is rejected. The subject must match the
# service account the chart creates in the "cert-manager" namespace.
resource "azurerm_federated_identity_credential" "cert_manager" {
  name                = azurerm_user_assigned_identity.cert_manager.name
  parent_id           = azurerm_user_assigned_identity.cert_manager.id
  resource_group_name = azurerm_user_assigned_identity.cert_manager.resource_group_name

  issuer   = module.aks.oidc_issuer_url
  subject  = "system:serviceaccount:cert-manager:cert-manager"
  audience = ["api://AzureADTokenExchange"]
}
# The cert-manager namespace, created from a template so the Helm release
# below can run with create_namespace = false. Waits for the cluster itself.
resource "kubectl_manifest" "certmanager_namespace" {
  count = var.enable_k8s_resources ? 1 : 0

  yaml_body = templatefile("${path.module}/manifests/namespace.yml.tpl", {
    namespace = "cert-manager"
  })

  depends_on = [module.aks]
}
# cert-manager itself, from the upstream jetstack chart over HTTPS at a pinned
# chart version. The first values file selects the issuer kind/group rendered
# into the ClusterIssuer manifests (ADCS uses its own CRD group, everything
# else is a stock cert-manager.io ClusterIssuer). For the keyvault issuer a
# second values file enables the CSI integration; otherwise an empty string is
# passed in its place. The release waits for the namespace, the Key Vault
# secret manifest and the Key Vault role assignment (the latter two are empty
# for non-keyvault issuers).
resource "helm_release" "cert_manager" {
  count = var.enable_k8s_resources ? 1 : 0

  name             = "cert-manager"
  namespace        = "cert-manager"
  create_namespace = false

  repository  = "https://charts.jetstack.io"
  chart       = "cert-manager"
  version     = "v1.14.5"
  max_history = 5

  values = [
    templatefile("${path.module}/manifests/cert-manager-values.yml.tpl", {
      clusterissuer = var.clusterissuer
      issuerkind    = var.clusterissuer == "adcs-issuer" ? "ClusterAdcsIssuer" : "ClusterIssuer"
      issuergroup   = var.clusterissuer == "adcs-issuer" ? "adcs.certmanager.csf.nokia.com" : "cert-manager.io"
    }),
    var.clusterissuer == "keyvault" ? templatefile("${path.module}/manifests/cert-manager-csi-values.yml.tpl", {}) : "",
  ]

  depends_on = [
    kubectl_manifest.certmanager_namespace,
    kubectl_manifest.cert_manager_clusterissuer_keyvault_secret,
    azurerm_role_assignment.cert_manager_keyvault,
  ]
}
# Let's Encrypt ClusterIssuer. The template receives the zone, its resource
# group and subscription, and the managed identity's client id, so the DNS
# solver can authenticate with workload identity instead of a stored
# credential; no secret is rendered into this manifest.
resource "kubectl_manifest" "cert_manager_clusterissuer" {
  count = var.enable_k8s_resources && var.clusterissuer == "letsencrypt-prod" ? 1 : 0

  yaml_body = templatefile("${path.module}/manifests/cert-manager-clusterissuer.yml.tpl", {
    email              = var.clusterissuer_email
    dns_zone_name      = var.dns_zone_name
    resource_group     = local.dns_resource_group_name
    subscription_id    = data.azurerm_subscription.current.subscription_id
    identity_client_id = azurerm_user_assigned_identity.cert_manager.client_id
  })

  depends_on = [helm_release.cert_manager]
}
# Venafi-as-a-Service ClusterIssuer. Applied after the API-key Secret it
# references exists, and after cert-manager's CRDs are installed.
resource "kubectl_manifest" "cert_manager_clusterissuer_vaas" {
  count = var.enable_k8s_resources && var.clusterissuer == "vaas-issuer" ? 1 : 0

  yaml_body = templatefile("${path.module}/manifests/cert-manager-clusterissuer-vaas.yml.tpl", {
    venafi_zone = var.venafi_zone
  })

  depends_on = [
    helm_release.cert_manager,
    kubectl_manifest.cert_manager_clusterissuer_vaas_secret,
  ]
}
# Kubernetes Secret carrying the Venafi API key for the VaaS issuer.
# NOTE(review): the key is interpolated into yaml_body, so it is stored in
# Terraform state and, unless the variable is declared sensitive, printed in
# plan output as part of the rendered manifest. Make sure var.venafi_apikey is
# marked sensitive where it is declared and that state is stored encrypted
# with restricted access.
resource "kubectl_manifest" "cert_manager_clusterissuer_vaas_secret" {
  count = var.enable_k8s_resources && var.clusterissuer == "vaas-issuer" ? 1 : 0

  yaml_body = templatefile("${path.module}/manifests/cert-manager-clusterissuer-vaas-secret.yml.tpl", {
    venafi_apikey = var.venafi_apikey
  })

  depends_on = [helm_release.cert_manager]
}
# Key Vault backed ClusterIssuer. The template takes no inputs; it refers to
# the Secret produced by the keyvault_secret manifest, so that one is ordered
# first, together with the cert-manager release.
resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault" {
  count = var.enable_k8s_resources && var.clusterissuer == "keyvault" ? 1 : 0

  yaml_body = templatefile("${path.module}/manifests/cert-manager-clusterissuer-keyvault.yml.tpl", {})

  depends_on = [
    helm_release.cert_manager,
    kubectl_manifest.cert_manager_clusterissuer_keyvault_secret,
  ]
}
# Configuration Secret for the Key Vault issuer. As far as the template inputs
# show it carries identifiers only — vault and certificate names, the
# identity's client id and the tenant id — and no credential; authentication
# is expected to go through workload identity. It only needs the namespace to
# exist, which is why the Helm release can depend on it rather than the
# other way round.
resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault_secret" {
  count = var.enable_k8s_resources && var.clusterissuer == "keyvault" ? 1 : 0

  yaml_body = templatefile("${path.module}/manifests/cert-manager-clusterissuer-keyvault-secret.yml.tpl", {
    keyvault_name          = var.cert_manager_keyvault_name
    keyvault_cert_name     = var.cert_manager_keyvault_cert_name
    cert_manager_client_id = azurerm_user_assigned_identity.cert_manager.client_id
    tenant_id              = data.azurerm_subscription.current.tenant_id
  })

  depends_on = [kubectl_manifest.certmanager_namespace]
}
# Active Directory Certificate Services issuer, delegated to a local module.
# The endpoint, user name, CA bundle and template come from the var.adcs
# object; the password is a separate variable so it can be declared sensitive
# and supplied out of band — confirm var.adcs_password is marked sensitive.
# adcs_ca_bundle is the trust anchor the module uses for the ADCS endpoint,
# so it must be the CA chain and not an arbitrary bundle.
module "adcs" {
  count  = var.enable_k8s_resources && var.clusterissuer == "adcs-issuer" ? 1 : 0
  source = "./modules/adcs"

  adcs_url                  = var.adcs.url
  adcs_ca_bundle            = var.adcs.ca_bundle
  certificate_template_name = var.adcs.certificate_template_name
  username                  = var.adcs.username
  password                  = var.adcs_password
}